Les protocoles SPF, DKIM et DMARC permettent d'endiguer les attaques d'usurpation et de phishing. Pourtant, de nombreuses entreprises ne disposent pas de ces entrées. Comme l'analyse de sécurité informatique de LocateRisk vérifie entre autres l'existence et la configuration de SPF et DMARC, nous allons maintenant faire la lumière sur ces notions abstraites.
Phishing
Phishing is a staple word in the Cyber security World especially in email security, so let's begin here. In this social engineering method hackers use a fake trusted identity to send emails to the victim posing to be a sender from a domain known to the victim. The result of this could be access to credit card numbers, passwords and other private information.
SPF, DKIM and DMARC
They are a set of email authentication protocols used to prove to ISPs and email servers that the sender is indeed authorised to send email from a specific domain. These protocols prevent phishing attacks by proving that the sender is actually who they claim to be. Using these to verify your account will make you a trustworthy sender to the servers on the receiving end. The acronyms stand for:
SPF: Sender Policy Framework
DKIM: Domain Keys Identified Mail
DMARC: Domain-based Message Authentication Reporting and Conformance
What is SPF?
SPF Authentication specifies which servers are allowed to send email on behalf of your domain. The server on the receiving end of an email will receive the list (SPF-Record) of servers allowed to send email through your Domain Name. If the sending server is not listed on the SPF record of that Domain, the email will fail the authentication test and could either be quarantined or rejected
An SPF record is created by setting a txt record in the domain DNS that is published by your domain administrator. Below is an example of an SPF record. v=spf1 ip4:1.2.3.4 ip4:200.199.198.197 include:spf.mailjet.com include:_spf.google.com ~all
Step 1
set a txt record. An SPF record begins with a statement of the version used v=spf1 in the txt record
Step 2
Then come the IP addresses of all the mail servers that may use your domain to send mail. These can be listed as a range of IP addresses or single IP addresses all starting with the IP version ip4: or ip6: .
Step 3
Third party providers allowed to use your domain are listed with include: In our example above, mailjet.com and google.com are third party mail servers allowed to send mail through that domain.
Step 4
Once all your servers have been added, you can either end your SPF record with ~all (softfail) or -all (hardfail) and save.
Softfail means emails from unauthorised servers (servers not on the SPF record) should still be allowed through, but marked as spam or suspicious. Hardfail on the other hand dictates that the unauthorised email be discarded. Once created, the SPF record can then be published by your domain administrator. Note that it may take 24 hours or more for the changes to take effect.
DKIM is responsible for the Integrity of the email. It ensures that the content of a sent email is not altered as it moves from server to server across the internet to the designated recipient. By using a Hash-algorithm on the email content, a string of numbers called the hash value is created. Changing even as much as a comma in the content will lead to a complete change in the hashvalue. In order to verify the Integrity of the email, the receiving mail server calculates its own hash value and compares it with the received hashvalue. If they are not the same, then the message cannot be trusted.
Similar to SPF, DKIM also sets a txt record in the domain to create a DKIM record, but a public and private key have to be created(Asymmetric encryption).
A DKIM record could look like this:
v=DKIM1\;k=rsa\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKK68hawSd8zpsDz77ntGCR0X2mHVvkf0WEOIqaspaG/A5IGxieiWer+wBX8lW2tE4NHTE0PLhHqL0uD2sif2pKoPR3Wr6n/rbiihGYCIzvuY4/U5GigNUGls/QUbCPRyzho30wIDAQAB
It consists of the DKIM version v=DKIM1, the encryption Algorithm used k=rsa k=rsa and the public key p=.. The private key is used to encrypt the hashed email and never leaves the sending server. The public key is published in the DKIM record of the domain and is included in the header of the email. When the receiving server receives the email, it does the following:
Step 1
Create a new txt record in the DNS settings for your domain. You will receive the domainkey from your e-mail provider. For example: newsletter2022._domainkey.yourdomainname.com
Enter the name in the corresponding field.
Step 2
Generate a DKIM keypair via your e-mail provider and copy the public key, for example k=rsa; p=NIIVAIMAhgzifoH4ZFZPEQIR (Public key) in the txt record created on your domain
Step 3
After saving, check whether the digital signature works by sending an e-mail to an address at Gmail or Outlook.com, for example. There you can see the raw content of the message. There should be a dkim=pass in the header.
for Gmail click on the three dots on the top right corner of the message, then choose show original.
DMARC works in email Authentication by matching the validity of SPF and DKIM records. With the DMARC record, the receiving server gets a set of instructions or policies set by the domain owner. The instructions tell the receiving server what to do with an email that does not pass the authentication test; quarantine or discard. DMARC also shows which protocols SPF, DKIM or both have been implemented and generates a report for the sender, so they can fight spoofing on their end.
To set up a DMARC record (which is also a txt record on the domain DNS) either DKIM, SPF or both must be active. A typical DMARC record looks like this: v=DMARC1; p=reject; rua=mailto:dmarc_reports@yourdomainname.com
v – indicates the version of DMARC protocol being used.
p – gives the policy to follow for unauthorised emails:
None – do nothing, lets the mail through
Quarantine – place mail in spam folder
Reject – Discard mail
rua – tells where to send the report for emails that do not pass the authentication test
Step 1
Set a txt record in the DNS settings of your domain
Step 2
Copy the host/name and value/destination provided by your email provider and paste them into the appropriate fields.
Step 3
Test your settings as already described under DKIM (Step 3) by sending an e-mail to a Gmail or Outlook address. Ideally, the header of the sent e-mail will look like this.
SPF, DKIM and DMARC serve email security and should be activated as part of your security concept. As part of a LocateRisk analysis, the category "DNS" is checked to see whether SPF and DKIM records are present and your mail server is well protected. If you are not sure whether your organisation uses SPF and DMARC, you should definitely check. We are always amazed at how many organisations put their security at risk by not setting these records.
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.
English 
Deutsch 
Français